RE: ASA site-to-site VPN problem

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 1 Jun 2009 09:15:07 -0400

Assuming there is nothing wrong with that ACL, it's normal behavior for packet tracer to fail the first packet through as it's still bringing up phase 1 and 2 of the tunnel. If you run the packet tracer twice, you should see the crypto hits and encapsulation information. I don't think it's a "bad practice" to use packet tracer either. If you control all the devices in question and can get meaningful data from the hosts on either side, then packet tracer is less useful. However, this is typically not the case with most businesses where security roles and systems engineering are compartmentalized. Working on firewalls with hundreds of partners, the path of least resistance in most cases is to initiate a few packet tracers to bring up the tunnel and pre-validate your work.

Have you verified it's not a path MTU issue?

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Bogdan Sass
Sent: Monday, June 01, 2009 4:02 AM
To: Farrukh Haroon
Cc: Cisco certification
Subject: Re: ASA site-to-site VPN problem

Farrukh Haroon wrote:
> Why are you using this strange mask in the ACL?
>
> 10.1.1.15 255.255.252.255
>
>
    Hmmm... good question :) . I didn't notice that (the config was not
written by me - I was just called to troubleshoot it). However, I have
come upon this problem on several devices, so it shouldn't be related to
the mask.

    Nevertheless, I will ask about the mask, and I will let you know
what I find out. Thank you!!

-- 
Bogdan Sass
CCAI,CCSP,JNCIA-ER,CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"
Blogs and organic groups at http://www.ccie.net
Received on Mon Jun 01 2009 - 09:15:07 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:36 ART
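On the mask question raised in the thread: ASA access-lists take a subnet mask, not an IOS wildcard, so 255.255.252.255 is a non-contiguous mask and `10.1.1.15 255.255.252.255` does not describe a subnet at all. The following added example (not part of the thread or of anyone's ASA config) expands such an entry to the concrete hosts it covers and flags non-contiguous masks in a constructed ACL, which is a quick check to run before blaming the tunnel itself.

```python
"""Expand a Cisco ASA-style address/mask pair and flag non-contiguous masks.
Added example for this thread; the only real values are the address and mask
quoted in the thread, the other ACL lines are constructed for illustration."""
import ipaddress
import re
from itertools import product


def is_contiguous_mask(mask: str) -> bool:
    """True for a normal subnet mask: a run of 1-bits followed by 0-bits."""
    inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    # The inverse of a contiguous mask is 2**k - 1, which has no bit in common with 2**k.
    return inverted & (inverted + 1) == 0


def matched_hosts(address: str, mask: str, max_free_bits: int = 12) -> list[str]:
    """All addresses that an address/subnet-mask pair matches (1-bit = must match)."""
    a, m = int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(mask))
    free_shifts = [s for s in range(32) if not (m >> s) & 1]   # don't-care bit positions
    if len(free_shifts) > max_free_bits:
        raise ValueError(f"mask {mask} spans 2**{len(free_shifts)} hosts; refusing to expand")
    base = a & m
    hosts = []
    for bits in product((0, 1), repeat=len(free_shifts)):
        value = base
        for shift, bit in zip(free_shifts, bits):
            value |= bit << shift
        hosts.append(ipaddress.IPv4Address(value))
    return [str(h) for h in sorted(hosts)]


# Matches "access-list NAME extended permit ip SRC SRCMASK DST DSTMASK" (ASA syntax).
_ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def noncontiguous_acl_entries(acl_text: str) -> list[tuple[str, str]]:
    """Return (acl line, offending mask) for every entry using a non-contiguous mask."""
    findings = []
    for line in acl_text.splitlines():
        match = _ACL_RE.search(line)
        if not match:
            continue
        for mask in (match.group(2), match.group(4)):
            if not is_contiguous_mask(mask):
                findings.append((line.strip(), mask))
    return findings


# Constructed crypto ACL: the second line carries the mask quoted in the thread.
SAMPLE_ACL = """\
access-list VPN-TO-PARTNER extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN-TO-PARTNER extended permit ip 10.1.1.15 255.255.252.255 172.16.5.0 255.255.255.0
"""
```

Running `matched_hosts("10.1.1.15", "255.255.252.255")` shows the entry covers four unrelated hosts (10.1.0.15 through 10.1.3.15), which is almost certainly not what the partner expects as an interesting-traffic definition.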